Request - backup/restore related security issue

I currently have a wget script that takes a daily backup of my firewall. You know… Just in case.

In the wget script i have to enter a username and password in cleartext. Therefore i have created a group with a backup user that only has access to /diag_backup.php

The problem, as i see it, is if my backup user gets compromised you could log into my firewall, download the configuration, alter the firewall rules, and reupload the configuration. Sure the firewall would reboot, and i would notice it. But it would be alot better to have a /diag_backup.php and a /diag_restore.php.

Setting it up with ssh and cron would be more secure and require no hacking. Have the firewall push its own config off to a box using an account that does ssh key only auth and upload the config to a write-only directory on the backup system. ACB isn't required, it just makes things easy/automatic.

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.